Pulling Shadow IT into the Light

Like it or not (and, according to an October Softchoice study, a majority of users do), Software as a Service—SaaS—is here to stay. The offloading of workloads onto SaaS providers can provide benefits all the way out from the data center to the end user. But cloud computing can create problems of its own, especially when it comes to shadow IT, the phenomenon of employees adopting applications on their own. Shadow IT introduces security risks—data leakage through improper use, for example—and takes control away from those who know how to mitigate the risks.

To address this issue, the focus of the IT department needs to change, according to Aaron Brooks, Director of Innovation at IT solutions and services provider Softchoice. With over two decades in the field, a background in networking, security, and wireless solutions engineering, and a mandate to stay aware of IT trends, Brooks has seen plenty of changes. What he sees when it comes to cloud computing today is "a dramatic shift" driven by the consumerization of IT.

Shadow IT: How it starts

The consumerization of IT drove the rise of shadow IT, according to Brooks. SaaS applications targeted at individuals or lines of business have become "very enticing" to users and teams facing pressure to "do more with less," he explained. The relative ease of adoption and use common to SaaS applications targeted at end users adds to the attraction

"It creates this environment where people say, 'Hey, I'm going to try this out and see if it works,' with the intention of bringing it up to the Powers That Be once they know it's successful," Brooks said, something that "never happens" in reality. Instead, a successful shadow IT application spreads rapidly through the organization. Then, somewhere down the road, an issue arises.

"They need support. That's when they call IT. And IT's like, 'We didn't even know this was happening,'" Brooks said.

But why was IT kept in the dark in the first place? To Brooks, the answer is twofold. It lies in the way organizations typically view IT, and the way IT itself operates.

Traditionally, Brooks explained, IT is seen as a gatekeeper and acts accordingly. The department can be "quick to find something outside the norm and want to shut it down," he said. And when a business problem arises and users request a new solution, "a lot of times, because of policy and security, compliance and budget and skills in IT, an answer isn't readily available," he said. End users, aware of this, circumvent IT to find their own solutions.

How administrators can address shadow IT

CIOs and IT departments need to shift their focus from gatekeeping to enabling, Brooks said. Instead of attempting internal development of purpose-built solutions for business problems, they should leverage their knowledge of existing technology to help units select and appropriately implement the right applications. By doing so, he explained, "they can apply the corporate governance and regulatory compliance pieces to SaaS to make sure that we've got the right policies in place" to protect corporate data and networks.

Brooks also recommends that administrators position themselves as educators within the organization. "We implore them to do things like write their own blog. Share information with lines of business around new technology advancements that they can use to be productive. If you can be that central source of intellect and awareness, you build the relationship that says 'I'm here to support you,'" he said. This relationship makes users and groups far more likely to approach IT with problems first, instead of circumventing the department without knowledgeable guidance.

Awareness of what shadow IT already exists is critical, too. "Knowing and understanding the adoption of SaaS applications and, with BYOD, how many unsanctioned devices are in your organization is a very important first step," Brooks said. Armed with information on who's adopting SaaS applications and who needs support, IT can reach out to the right people. As a CIO or administrator, he told me, "What I need to do is make sure we're being good corporate citizens, protecting corporate data, and ensuring longevity to the decisions you've made in your business."

This "service broker" model of IT is what Softchoice is in the business of providing through its consulting, implementation, and managed services offerings, as well as through Softchoice Cloud, through which "we allow customers to come and select from best-of-breed SaaS applications to meet their needs and provide a single portal and single sign-on for all their SaaS applications," he explained.

"Shadow IT is happening for a reason," Brooks said. In response to that, he insisted that "IT needs to become a service broker. You have to give choice, coupled with enough actionable insight for people to make the right decision. That's where IT can play a big part."